From 85967440afa709e41691d5def772d70f3253bd28 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Thu, 5 Mar 2026 12:51:20 +0100
Subject: [PATCH] docs: configure ACME HTTP-01 with nginx in setup example
---
 docs/release-notes.rst | 2 ++
 docs/setup-example.nix | 10 ++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index a3be6b4..67a4f3f 100644
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -10,12 +10,14 @@ NixOS 26.05
 and private key using :option:`mailserver.x509.certificateFile` and :option:`mailserver.x509.privateKeyFile` instead. Support for automatic creation of self-signed certificates has been removed.
+ Check the updated `setup guide`_ for a basic ACME HTTP-01 example.
 - Cleartext password files can now be configured for login accounts. This is an alternative to hashed passwords that integrates well with workflows establishsed by `agenix`_/`sops-nix`_ that rely on encryption. This option prevents files from leaking in to the Nix store. See :option:`mailserver.loginAccounts..passwordFile`.
+.. _setup guide: setup-guide.html#setup-the-server
 .. _agenix: https://github.com/ryantm/agenix
 .. _sops-nix: https://github.com/Mic92/sops-nix
diff --git a/docs/setup-example.nix b/docs/setup-example.nix
index 0a9fb53..e25f0b1 100644
--- a/docs/setup-example.nix
+++ b/docs/setup-example.nix
@@ -16,12 +16,14 @@
 security.acme = {
 acceptTerms = true;
 defaults.email = "security@example.com";
- certs.${config.mailserver.fqdn} = {
- # Further setup required, check the manual:
- # https://nixos.org/manual/nixos/stable/#module-security-acme
- };
 };
+ # Allow incoming HTTP connections
+ networking.firewall.allowedTCPPorts = [ 80 ];
+
+ # Enable ACME HTTP-01 challenge with nginx
+ services.nginx.virtualHosts.${config.mailserver.fqdn}.enableACME = true;
+
 mailserver = {
 enable = true;
 stateVersion = 3;
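Review bot: The added `services.nginx.virtualHosts.${config.mailserver.fqdn}.enableACME = true;` line in docs/setup-example.nix only takes effect when nginx itself is enabled, and nothing visible in this hunk sets `services.nginx.enable = true;`. Unless the mailserver module or a line outside the hunk enables nginx, a reader copying the example would open port 80 in the firewall with nothing answering the HTTP-01 challenge, so no certificate would be issued. I would add `services.nginx.enable = true;` next to the virtual host line. The firewall comment should also say why the port is exposed, for example `# Allow incoming HTTP connections for ACME HTTP-01 validation`, so the open port is not copied without its reason. The enclosing attribute set starts and ends outside the hunk.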